[
https://issues.apache.org/jira/browse/SENTRY-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124124#comment-15124124
]
Gregory Chanan commented on SENTRY-1032:
----------------------------------------
Here's my thinking [~sravya]:
- I don't think we should use the term "grant" when talking about roles and
groups because it overloads the term with respect to privileges. Let's reserve
the term grant for privileges. If I say "grant x to y" and we respect the
above I know x is a privilege and y is a role. Less thinking involved.
- On "Theoretically I do not see a difference between "adding a group to a
role" versus "adding a role to a group"": my argument for "add a group to role"
versus "add a role to a group" is symmetry between users and groups. Groups
are collections of users and roles are collections of groups. You don't say
"add a group to a user", you say "add a user to a group", so you should say
"add a group to role" not "add a role to group".
- "Also, all our client apis use addRoleToGroups deleteRoleFromGroups" -- the
reason I brought this up with the shell is that this is the first time these
terms are really exposed to the end user. They should be as clear as possible
in that case; the client APIs are more internal and we can evolve them
compatibly as we go.
I'm interested in your point that "groups come first". Can you describe that
workflow? I thought that the role has to exist before you can associate a
group with it. Certainly we should be guided by the user's workflow here --
maybe we just need a different term than "add" or "grant".
> Rename shell command group/role shell commands and implement with solr shell
> ----------------------------------------------------------------------------
>
> Key: SENTRY-1032
> URL: https://issues.apache.org/jira/browse/SENTRY-1032
> Project: Sentry
> Issue Type: Task
> Components: Service
> Affects Versions: 1.7.0
> Reporter: Gregory Chanan
> Assignee: Gregory Chanan
> Attachments: SENTRY-1032.patch
>
>
> --add_role_group is a bit confusing because the command is to add group to
> role (i.e. the objects are reversed). Let's change this before it is
> released and we need to support backwards compatibility.
> Same for --delete_role_group.
> Also, these commands are not implemented with SentryShellSolr. Let's do that.